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DETAILED ACTION 



1. Claims 1, 3-4, 6-14, 16-40, 42-50, and 52-57 are pending. 

2. Amendment submitted 7 March 2005 has been entered and considered. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1 , 3-4, 6-14, 16-40, 42-50, and 52- 
57 have been considered but are moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1, 3-4, 6, 14, 18-21, 25-26, 32, 34, 37-40, 42, 50, and 54-56 are rejected 
under 35 U.S.C. 103(a) as being unpatentable over Gleichauf et al US Patent No. 
6,301,668 in view of Vaidya US Patent No. 6,279,113. Gleichauf discloses a method for 
adaptive network security using network vulnerability assessments. Vaidya discloses a 
dynamic signature inspection system for network security. 



Application/Control Number: 09/874,574 Page 3 

Art Unit: 2134 

6. With regards to claims 1 , 14, 18, 37, 50, 54, 56, Gleichauf teaches the detecting 
of a data signature (Gleichauf, column 6 lines 36-45) and the correlating of the data 
signature with a fingerprint of the target to determine to what extent the target is 
vulnerable to the data signature (Gleichauf, column 6 lines 51-56, likelihood of success). 
Gleichauf fails to teach the detecting, correlating, and evaluating of data signatures at 
the application layer. Vaidya teaches the evaluating of communications at the 
application layer (Vaidya, column 10 lines 25-45, application layer, column 8 lines 1-24) 
and evaluating contextual information related to the data signature to determine a 
likelihood that said target is under attack, the contextual information comprising at least 
one of an application layer data field type used to encapsulate the data signature and 
an application layer protocol type used to transmit the data signature (Vaidya, column 
10 lines 25-45, column 10 lines 16-21). At the time the invention was made, it would 
have been obvious to a person of ordinary skill in the art to utilize Vaidya's method of 
evaluating application layer communications because it offers the advantage of greater 
security by ensuring that attacks based on any of the OSI's seven layers may be 
detected and the assurance that sensitive files will be monitored to stop unlawful access 
(Vaidya, column 4 lines 29-39, column 1 lines 19-45). 

7. With regards to claims 25, 34, 38, Gleichauf as modified teaches the evaluating 
of contextual information relating to the data signature to determine a likelihood that the 
target is under attack (Gleichauf, column 6 lines 25-36). 

8. With regards to claims 3, 20, 39, Gleichauf as modified teaches the fingerprint 
including a target node's operating system (Gleichauf, column 3 lines 62-65). 
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9. With regards to claims 4, 21 , 40, Gleichauf as modified teaches the fingerprint 
including the node's processor type (Gleichauf, column 3 lines 62-65, devices, column 7 
lines 1-4). 

10. With regards to claims 26, Gleichauf as modified teaches the contextual 
information including a particular network protocol with which the data signature was 
transmitted (Gleichauf, column 8 lines 28-45, column 6 lines 25-36). 

1 1 . With regards to claim 6, 42, Gleichauf as modified teaches the generating of a 
first alert condition upon determining that the target node is vulnerable to the data 
signature (Gleichauf, column 8 lines 28-52, determined probability of success, 
prioritizing monitoring). 

12. With regards to claims 19, 55, Gleichauf as modified teaches the fingerprint 
including a particular service executed on the target (Gleichauf, column 7 lines 51-60, 
services). 

13. With regards to claim 32, Gleichauf as modified teaches the profiling of the target 
to determine which ports are open by passively listening to what traffic succeeds in 
talking to/from the target (Gleichauf, column 7 lines 40-49). 

14. Claims 7-8, 10-12, 22, 27, 29-31, 43-44, 46-48, 57 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Gleichauf et al US Patent No. 6,301 ,668 and Vaidya 
US Patent No. 6,279, 1 1 3, as applied to claims 1,18, 25, 37, 44, and 56 above, and in 
further view of Conklin et al US Patent No. 5,991 ,881 . Conklin teaches a network 
surveillance system. 
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15. With regards to claims 7, 43, Gleichauf as modified fails to teach the listening for 
a response to a data signature from the target. Conklin teaches the listening for a 
response to a data signature from the target (Conklin, column 6 lines 21-43, column 7 
lines 25-29, evidence logging function). At the time the invention was made, it would 
have been obvious to a person of ordinary skill in the art to utilize Conklin's method of 
listening with Gleichauf s adaptive security system because it offers the advantage of 
ensuring continuing reporting of all pertinent activities following the detection of a 
predefined alert condition (Conklin, column 1 lines 35-49). 

16. With regards to claims 8, 44, Gleichauf as modified teaches the determining 
whether the target node's response or lack of a response is suspicious (Gleichauf, 
column 7 lines 29-38). 

17. With regards to claims 10, 46, Gleichauf as modified teaches the generating of a 
second alert condition upon determining that the target node's response or lock of a 
response is suspicious (Conklin, column 7 lines 25-38, alert notification). 

18. With regards to claims 1 1 , 47, Gleichauf as modified teaches the combining of 
the second alert with the first, thereby updating the first alert with information within the 
second alert (Conklin, column 8 lines 6-14, column 7 lines 44-50). 

19. With regards to claims 12, 48, Gleichauf as modified fails to teach the listening 
for behavior of the target node and sending an alert condition. Conklin teaches the 
listening for behavior of the target node (Conklin, column 8 lines 1-5) and generating a 
second alert condition upon determining that the target node's behavior is suspicious 
(Gleichauf, column 7 lines 51-61). At the time the invention was made, it would have 
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been obvious to a person of ordinary skill in the art to utilize Conklin's method of 
listening to the behavior of the target with Gleichauf s adaptive security system because 
it offers the advantage of ensuring continuing reporting of all pertinent activities 
following the detection of a predefined alert condition (Conklin, column 1 lines 35-49). 

20. With regards to claims 22, 29 and 57, Gleichauf as modified fails to teach the 
monitoring of responses from the target following the data signature and determining a 
likelihood of whether the target is under attack based on the data signatures of the 
responses. Conklin teaches the monitoring of responses from the target following the 
data signature and determining a likelihood of whether the target is under attack based 
on the data signatures of the responses (Gleichauf, column 7 lines 29-38). At the time 
the invention was made, it would have been obvious to a person of ordinary skill in the 
art to utilize Conklin's method of listening with Gleichauf s adaptive security system 
because it offers the advantage of ensuring continuing reporting of all pertinent activities 
following the detection of a predefined alert condition (Conklin, column 1 lines 35-49). 

21 . With regards to claim 27, Gleichauf as modified fails to teach the protocol being 
FTP. Conklin teaches the protocol being FTP (Conklin, column 3 lines 8-14). At the 
time the invention was made, it would have been obvious to a person of ordinary skill in 
the art to use Conklin's method of monitoring FTP with Gleichauf s adaptive security 
system because it offers the advantage of allowing the monitoring of one of the principal 
network protocols used to transfer files. 

22. With regards to claims 30-31 , Gleichauf as modified fails to teach the current 
state comprising an inbound or outbound connection from the target following a 
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detected signature. Conklin teaches the current state comprising an inbound or 
outbound connection from the target following a detected signature (Conklin, column 8 
lines 1-5). At the time the invention was made, it would have been obvious to a person 
of ordinary skill in the art to utilize Conklin's method of listening with Gleichauf s 
adaptive security system because it offers the advantage of ensuring continuing 
reporting of all pertinent activities following the detection of a predefined alert condition 
(Conklin, column 1 lines 35-49). 

23. Claims 9, 23 and 45 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301 ,668, Vaidya US Patent No. 6,279,1 13, and 
Conklin et al US Patent No. 5,991,881, as applied to claims 8, 22, and 44 above, and in 
further view of Krumel US PGPub 2002/0083331 . 

24. With regards to claims 9, 23 and 45, Gleichauf as modified above fail to teach the 
determining if a packet is an unknown command. Krumel teaches the determining if a 
packet is an unknown command (Krumel, Page 7, Paragraph 0085, unknown packet 
type). At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to utilize Krumel's method of detecting unknown commands 
because it offers the advantage of ensuring that no packets that do not fit set security 
filters are allowed to pass in and out of a network (Krumel, Page 7, Paragraph 0085 and 
Page 7 Paragraph 0087). 
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25. Claims 13 and 49 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301 ,668, Vaidya US Patent No. 6,279,1 13 and 
Conklin et al US Patent No. 5,991,881, as applied to claims 11 and 47 above, and in 
further view of Zhang et al "Detecting Backdoors." 

26. With regards to claims 13 and 49, Gleichauf as modified above fails to teach 
suspicious behavior comprising the transmitting of a root shell prompt to a suspect 
node. Zhang teaches teach suspicious behavior comprising the transmitting of a root 
shell prompt to a suspect node (Zhang, Page 12, Section 4.5, Root Backdoor). At the 
time the invention was made, it would have been obvious to a person of ordinary skill in 
the art to utilize Zhang's method of detecting root shell transmissions with Gleichauf as 
modified because it offers the advantage of preventing an attack from gaining 
unauthorized access to a system by the use of a backdoor (Zhang, Page 1 Section 

1. Introduction). 

27. Claims 16, 35, and 52 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Gleichauf et a! US Patent No. 6,301,668 and Vaidya US Patent No. 
6,279,1 13, as applied to claims 4, 26, and 50 above, and in further view of Ji et al US 
Patent No. 6,728,886. Ji discloses a distributed virus scanning arrangement. 

28. With regards to claims 16, 35, and 52, Gleichauf, as modified above, fails to 
teach the protocol being HTTP protocol. Ji teaches a data signature being a message 
in the form of the HTTP protocol (Ji, column 6 lines 23-38). At the time the invention 
was made, it would have been obvious to a person of ordinary skill in the art to utilize 
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Ji's method of detecting HTTP with Gleichauf s adaptive security system because it 
offers the advantage of allowing the monitoring of a popular method of transferring data 
across the internet thus reducing the likelihood of a security breach (Ji, column 1 line 63 
- column 2 line 8). 

29. Claims 17 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301,668, Vaidya US Patent No. 6,279,1 13, and Ji 
et al US Patent No. 6,728,886, as applied to claim 16 above, and in further view of 
Farrow "Security Reality Check." 

30. With regards to claims 17 and 53, Gleichauf as modified above fails to teach the 
detecting of a data signature of "cgi-bin/phf." Farrow teaches the detection of the data 
signature of "cgi-bin/phf (Farrow, Page 2, "Stealth Attacks" Paragraph 4). At the time 
the invention was made, it would have been obvious to a person of ordinary skill in the 
art to utilize Farrow's method of detecting the data signature of "cgi-bin/phf because it 
offers the advantage of helping prevent attacks because the data signature is a valid 
indication of an attack upon a system (Farrow, Page 2, "Stealth Attacks" Paragraph 4). 

31. Claim 24 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gleichauf et al US Patent No. 6,301 ,668, Vaidya US Patent No. 6,279,1 13, Conklin et al 
US Patent No. 5,991,881, and Krumel US PGPub 2002/0083331, as applied to claim 23 
above, and in further view of Zhang et al "Detecting Backdoors." 
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32. With regards to claim 24, Gleichauf as modified teaches the data signature being 
FTP (Conklin, column 3 lines 8-14), but fails to teach the response being a raw shell 
connection. Zhang teaches teach suspicious behavior comprising the transmitting of a 
root shell prompt to a suspect node (Zhang, Page 12, Section 4.5, Root Backdoor). At 
the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to utilize Zhang's method of detecting root shell transmissions with 
Gleichauf as modified because it offers the advantage of preventing an attack from 
gaining unauthorized access to a system by the use of a backdoor (Zhang, Page 1 
Section 1. Introduction). 

33. Claim 28 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gleichauf et al US Patent No. 6,301,668, Vaidya US Patent No. 6,279,113, and Conklin 
et al US Patent No. 5,991 ,881 , as applied to claim 27 above, and in further view of 
Bernhard et al US Patent No. 6,275,942. 

34. With regards to claim 28, Gleichauf as modified above fails to teach the data 
signature being passwd in a context where filenames are likely to appear. Bernhard 
teaches the data signature being passwd in a context where filenames are likely to 
appear (Bernhard, column 13 lines 20-34). At the time the invention was made, it would 
have been obvious to a person of ordinary skill in the art to utilize Bernhard's method of 
checking for passwd because it offers the advantage of helping ensure that the 
/etc/passwd file remains secure from attacks (Bernhard, column 13 lines 20-34). 
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35. Claims 33 and 36 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gleichauf et al US Patent No. 6,301 ,668 and Vaidya US Patent No. 6,279, 1 1 3, as 
applied to claims 25-26 above, and in further view of Krumel US PGPub 2002/0083331 . 

36. With regards to claim 33, Gleichauf as modified above fails to teach the 
determining if a packet is an unknown command. Krumel teaches the determining if a 
packet is an unknown command (Krumel, Page 7, Paragraph 0085, unknown packet 
type). At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to utilize Krumel's method of detecting unknown commands 
because it offers the advantage of ensuring that no packets that do not fit set security 
filters are allowed to pass in and out of a network (Krumel, Page 7, Paragraph 0085 and 
Page 7 Paragraph 0087). 

37. With regards to claim 36, Gleichauf, as modified above, fails to teach the protocol 
being RPC. Krumel teaches the protocol being RPC (Krumel, pages 23-24, paragraph 
0191 ). At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to utilize Krumers method of monitoring the RPC protocol 
because it offers the advantage of allowing the monitoring of communications between 
gateways and PLD devices (Krumel, pages 23-24, paragraph 0191). 

Conclusion 

38. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Andrew L. Nalven whose telephone number is 571 272 
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3839. The examiner can normally be reached on Monday - Thursday 8-6, Alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on 571 272 3838. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 






